Expert Advice Community

Audit demanded by client

Guest user Created:   Jan 09, 2017 Last commented:   Jan 09, 2017

Website Software Needs a Security Audit or Certification - Which One?

Expert
Rhand Leal Jan 09, 2017

We own and license a web service that stores information and displays it to users through a front-end website. One of our existing clients has just licensed it and they have provided an extensive network and security questionnaire, and one of the requirements is to provide a copy of the security audit. Since we never factored this into our license, I need to understand what the best approach to this may be, what I need, and who I can hire to perform the task.

Answer: The first thing you should identify is which level of independence is required by the client for this security audit, since there are three possible levels: first-party audit (when your organization audits itself), second-party audit (when the client, or another organization accepted by it, audits your organization), and third-party audit (when an organization independent from your organization and from the client audits your organization).

If a first-party audit is sufficient for the client, and you already have an internal audit process running, you should include in your internal audit program an audit covering this web service, considering the network and security questionnaire sent by the client. If you do not have an internal audit process, please consider the answer for third-party audit, presented at the end of this answer. This is the cheapest audit process, but the low degree of independence may not be sufficient for some organizations.

If a second-party audit is required, you should contact the client to identify who will be responsible for the audit (the client itself or another accepted organization), and define the arrangements for the audit with that responsible party. Depending upon who will pay for the audit, this kind of audit may become onerous for you or your client, especially for you if you have many clients demanding this type of audit and each one requires a different organization to perform it. In such cases, aiming for a third-party audit may prove a better option.

If a third-party audit is required, the best course of action is to consider the certification of a management system, in this case certification against ISO 27001, related to information security, since certification bodies (those who issue a certification) are accepted as highly trusted independent parties to ensure security is being properly managed by an organization.

As a complement to the first part of this answer, implementing an internal audit process is mandatory for certification, so if you get certified, besides being able to provide the results of a third-party audit, you also ensure you are able to perform a first-party audit if demanded by a client.

In cases where a second-party audit is required, you can offer your certification or maintenance audit report as an option for your client.

This article will provide you further explanation about certification (third-party audit):

- Should your company go for the ISO 27001 / ISO 22301 certification? https://advisera.com/27001academy/iso-27001-certification/

This material will also help you regarding types of audit:

- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
